Vadim
Thanks for the quick reply and nice spotting of the typo. Unfortunately
the typo was in the email I sent but not in the policy file that I used.
I tried a variety of hyphens and asterisks to handle the classes being
given the permissions and the directory that the permissions relate to
(my understanding is that * implies the specified directory and its
children whereas the - implies the specified directory and its contents
- including all descendant directories).
Still no luck with any of those variants but it is good to know that I
am looking in approximately the right place.
Cheers
Geoff Shuetrim
On Fri, 2005-06-17 at 08:57 -0400, Vadim Gritsenko wrote:
> Geoffrey Shuetrim wrote:
> > I am struggling with the security manager settings for Tomcat 4 running
> > on Sun Java 1.42 (on Debian testing) for Xindice databases that are
> > stored outside of the xindice webapp itself.
> >
> > I have set the dbroot attribute in the xindice system.xml
> > to /var/xindice/db/
> >
> > The db directory is owned by root but is read and write accessible to
> > all (thoughts on which user should own it and what access rights make
> > sense would be much appreciated too).
> >
> > If I start tomcat4 with the security manager turned off, all goes well
> > and the xindice webapp runs fine.
> >
> > If I start tomcat4 with the security manager running but with the
> > security policy configured with the following xindice specific
> > permission
> >
> > grant codeBase "file:{catalina.home}/webapps/xindice/WEB-INF/-" {
> > permission java.io.FilePermission "/var/xindice/db/*",
> > "read,write,delete";
> > };
>
> Probably exception happens because of typo - '$' is missing above. I'm not sure
> that '-' syntax allows for sub-directories, so I'd try adding 'classes' to the
> path. So result will be:
>
> grant codeBase "file:${catalina.home}/webapps/xindice/WEB-INF/classes/-" {
> permission java.io.FilePermission "/var/xindice/db/*", "read,write,delete";
> };
>
> Vadim
>
>
> > then I expect the xindice application to be able to read, write and
> > delete content in the /var/xindice/db.
> >
> > Sadly, I get the following stack trace as the root cause of a problem:
> >
> > java.security.AccessControlException: access denied (java.io.FilePermission /var/xindice/db read)
> > at java.security.AccessControlContext.checkPermission(AccessControlContext.java:269)
> > at java.security.AccessController.checkPermission(AccessController.java:401)
> ...
> >
> > Any thoughts on how to sort this out without turning off the security
> > manager?
> >
> > Regards
> >
> > Geoff Shuetrim
>
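
Added example, not part of the original thread: it uses java.io.FilePermission.implies to print which read requests each form of grant covers, including the bare directory path named in the AccessControlException quoted above. The class name and the file names under /var/xindice/db are constructed for illustration.

```java
import java.io.FilePermission;

// Added illustration; the file names below /var/xindice/db are constructed.
public class FilePermissionScope {

    // The actions granted in the policy entry quoted in the thread.
    static final String GRANTED_ACTIONS = "read,write,delete";

    // True when a grant on grantedPath covers a "read" of requestedPath.
    static boolean covers(String grantedPath, String requestedPath) {
        FilePermission granted = new FilePermission(grantedPath, GRANTED_ACTIONS);
        FilePermission requested = new FilePermission(requestedPath, "read");
        return granted.implies(requested);
    }

    public static void main(String[] args) {
        String[] grants = {
            "/var/xindice/db/*",   // form used in the thread
            "/var/xindice/db/-",   // recursive form
            "/var/xindice/db"      // the directory named without a wildcard
        };
        String[] requests = {
            "/var/xindice/db",                 // path in the AccessControlException
            "/var/xindice/db/system.dat",      // constructed: direct child
            "/var/xindice/db/coll/doc.dat"     // constructed: nested entry
        };
        for (String g : grants) {
            for (String r : requests) {
                System.out.printf("grant %-20s read %-30s -> %s%n", g, r,
                        covers(g, r) ? "allowed" : "denied");
            }
        }
    }
}
```

A grant ending in /* or /- matches entries inside the directory; the directory path itself is matched only by a grant that names it without a wildcard.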